Spectrum Analyser is a tool that is designed to help reverse engineer ZX Spectrum games & programs.It is a combination of an emulator, debugger & interactive disassembler. Programs are loaded and run in the emulator and their state can be inspected using the tools provided.
• Format memory as Byte, Word, Char Map, Bitmap etc.
• Breakpoints: break on code execution, memory access, NMI, IRQ, IN & OUT
• Fully annotated Sinclair ROM
• Self modifying code support
• Automatic code detection
• Automatic data detection
• Poke support
• Skoolkit import and export
• Character graphic memory search tool
• Z80 instruction informational tooltips
How does it work?
The traditional way to reverse engineer software is to manually determine which areas of the computer memory are code or data. A disassembler can then be used to produce an assembly listing of the code memory bytes. One way to achieve this is to observe the code running through a debugger.
This can be slow work – although some excellent tools exist to help with this process, such as IDA Pro or Ghidra. This process can be partially automated by using an execution trace file. This can help confirm which areas of memory are code if we know they have been executed.
Spectrum Analyser aims to automate as much of the manual process as possible. It has an emulator built in, which means it can automatically detect which memory locations are code when those locations are executed. The more you play the game, the more code it will uncover. However, Spectrum Analyser is very much interactive. You are free to manually mark up areas of memory as code if you prefer – without needing to execute the code in question. You do not need to tell Spectrum Analyser where the code ends – only where it begins. It will use static code analysis to work out where the code terminates.
Starting Off
When you open a game for the first time Spectrum Analyser will start from a blank slate. In this state, all memory locations will be formatted as byte data. This is the default state of memory that hasn’t been executed.
This is the same memory after the program has been executed. Spectrum Analyser has set the memory to code and added labels for functions in addition to branch destination labels.
These labels can then be renamed when you figure out what the code is actually doing. You can then add comments to the disassembly.
Screenshots
Here are some action shots of Spectrum Analyser. For best results you may need to download the images and view them full screen or open them in a seperate tab.
Acknowledgements
This program was built using the superb Chips emulator library by Andre Weissflog, the emulation in the analyser is done using this library: https://github.com/floooh/chips
For the UI, DearImGui is used (https://github.com/ocornut/imgui) which is without doubt one of the greatest pieces of open source software. Without it not only would the UI take much longer but working on it would also be exceedingly dull.
Spectrum Analyser contains a full disassembly of the Sinclair ROM. This was possible because of the skoolkit disassembly done by Richard Dymond. https://skoolkit.ca/disassemblies/rom/
Tutorial
Need help getting started using Spectrum Analyser, or just want to see how it works? Here is a tutorial. This doesn’t cover everything but it will get you started.